Quantum Cryptography: from Theory to Practice 
Quantum cryptography can, in principle, provide unconditional security guaranteed by the laws 
of physics only. Here, we survey the theory and practice of the subject and highlight some recent 
developments. 

"The human desire to keep secrets is almost as old as 
writing itself." [1] With the advent of electronic commerce, 
the importance of secure communications via encryption is 
growing. Each time we go online for internet banking, we 
should be concerned with communication security. Indeed, 
methods of secret communication were used in many ancient 
civilizations, including Mesopotamia, Egypt, India and China. 
Legends say that Julius Caesar used a simple substitution 
cipher in his correspondence. Each letter is replaced by the 
letter that follows it three places later in the alphabet. For 
instance, the word LOW is replaced by ORZ because the first 
letter "L" in LOW is replaced by L -> M -> N -> O, etc. 
Regardless of the size of the shift, the illustrated method 
is still called Caesar's cipher. 

Let us introduce the general problem of secure commu- 
nication. Suppose a sender, Alice, would like to send a 
message to a receiver, Bob. An eavesdropper, Eve, would 
like to learn about the message. How can Alice prevent 
Eve from learning her message? 

A standard method is encryption. Alice uses her en- 
cryption key (some secret information) to transform her 
message (a plaintext) into something (a ciphertext) that 
is unintelligible to Eve and sends the ciphertext through 
a communication channel. Bob, with his decryption key, 
recovers Alice's message from the ciphertext. For in- 
stance, in Caesar's cipher, the key takes a value between 
1 and 26, which denotes the size of the shift. 

Since encryption machines may be captured, in modern 
cryptography, it is standard to assume that the encryption 
method is known and that the security of the message rests 
on the security of the key. For instance, we assume that 
Eve knows that Caesar's cipher is being used, but she 
does not a priori know the value of the key. Note that 
Caesar's cipher is not that secure because the number of 
all possible key values is so small (only 26) that Eve can 
easily try all possible values. 

Throughout the history of cryptography, many ciphers 
have been invented and believed for a while to be unbreakable. 
Almost all have subsequently been broken, 
with disastrous consequences to the unsuspecting users. 
For instance, in the Second World War, the Allies' break- 
ing of the German Enigma code contributed greatly to 
the ultimate victory of the Allies. The first lesson in 
cryptography is: never under-estimate the ingenuity and 
efforts that your enemies are willing to spend on breaking 
your codes. 

Unbreakable codes do exist in conventional cryptogra- 
phy. They are called one-time pads and were invented by 
Gilbert Vernam in 1918: A message is first converted into 
a binary form (i.e., a string consisting of 0's and 1's) by 
a publicly known method. The key is another sequence 
of 0's and 1's of the same length. For encryption, Alice 
combines each bit of the message with the respective 
bit of the key by using addition modulo 2 to generate 
the ciphertext. For decryption, Bob combines each bit of 
the ciphertext with the respective bit of the key by using 
addition modulo 2 to generate the plaintext. 

For a one-time pad to be secure, it is important that 
a key is never re-used. This is why it is called a one-time 
pad. Why would re-using a key make the scheme 
insecure? Suppose the same key, $k$, is used to encrypt 
two different messages, $m_1$ and $m_2$. Then, the 
ciphertexts, $c_1 = m_1 \oplus k$ and $c_2 = m_2 \oplus k$, are 
transmitted in public. An eavesdropper can simply take the 
addition modulo 2 of the two ciphertexts to obtain 
$c_1 \oplus c_2 = m_1 \oplus k \oplus m_2 \oplus k = m_1 \oplus m_2$. 
But this allows Eve to learn some non-trivial information, 
namely the parity, about the two original messages. 
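
The key-reuse leak derived above, as an added Python example (not part of the original article): the ciphertext sum cancels the key, and a pad store that spends each key byte only once avoids the problem. The sample messages, the `OneTimePad` class and the function names are constructed for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise addition modulo 2 of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper holds after one key encrypted two messages: m1 XOR m2."""
    return xor_bytes(c1, c2)


class OneTimePad:
    """Key store that hands out every pad byte exactly once (hypothetical helper)."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0  # bytes before this offset are spent and never handed out again

    def take(self, n: int) -> bytes:
        if self._used + n > len(self._pad):
            raise RuntimeError("pad exhausted: refusing to reuse key material")
        chunk = self._pad[self._used:self._used + n]
        self._used += n
        return chunk

    def encrypt(self, message: bytes) -> bytes:
        # Decryption is the same operation, performed by a peer holding an
        # identical pad and consuming it in the same order.
        return xor_bytes(message, self.take(len(message)))


if __name__ == "__main__":
    m1, m2 = b"ATTACK AT DAWN", b"RETREAT AT TEN"  # constructed sample messages

    # Misuse: the same key k encrypts both messages.
    k = secrets.token_bytes(len(m1))
    leak = reuse_leak(xor_bytes(m1, k), xor_bytes(m2, k))
    print("key cancels out:", leak == xor_bytes(m1, m2))
    print("knowing m1 then yields m2:", xor_bytes(leak, m1))

    # Correct use: a pad as long as all traffic, each byte consumed once.
    pad = secrets.token_bytes(len(m1) + len(m2))
    alice, bob = OneTimePad(pad), OneTimePad(pad)
    c1, c2 = alice.encrypt(m1), alice.encrypt(m2)
    print("Bob decrypts:", bob.encrypt(c1), bob.encrypt(c2))
    print("ciphertext sum still reveals m1 XOR m2:", reuse_leak(c1, c2) == xor_bytes(m1, m2))
```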



I. KEY DISTRIBUTION PROBLEM 

The one-time pad has a serious drawback: it presupposes 
that Alice and Bob share a secret random string, a key, 
before the actual transmission of the message. So, the 
introduction of the one-time pad shifts the problem of 
secure communication to the problem of secure key 
distribution. This is called the key distribution problem. 
In top secret applications, key distribution is often done 
by trusted couriers. Recall that in a one-time pad, a key 
must be as long as a message. Sending long keys by trusted 
couriers is clearly rather inconvenient. 

All conventional (classical) key distribution schemes 
are fundamentally insecure because there is nothing to 
prevent an eavesdropper from making a copy of the key 
during the key distribution process. Indeed, trusted 
couriers could be bribed or compromised. So, the users 
can never be sure about the security of a key. 

How may one solve the key distribution problem? 
Around the 1970s, mathematicians invented public key 
cryptography. In public key cryptography, there are two 
different sets of keys, the encryption key and the 
decryption key. The encryption key can be broadcast in 
public (e.g., published in a phone book) whereas the 
decryption key has to be kept secret. Public key 
cryptography allows two parties who have never met before 
to communicate securely. 

Unfortunately, the security of public key encryption 
schemes is often based on unproven computational 
assumptions. For instance, the security of the standard RSA 
encryption scheme is based on the presumed hardness of 
factoring a large composite number. Such an assumption 
may be broken by unanticipated advances in algorithms 
and hardware. For instance, in 1994 Peter Shor, 
then at AT&T, found an efficient quantum algorithm for 
factoring. [2] Therefore, "if a quantum computer is ever 
built, much of conventional cryptography will fall apart!" 
(Gilles Brassard). 

You may think, "since we do not have a quantum com- 
puter yet, perhaps, we should not worry about this prob- 
lem until a quantum computer has been built." Not so. 
For instance, Canada has kept census information secret 
for 92 years on average. An eavesdropper may save mes- 
sages sent by you in 2007 and try to decrypt them in 
2099. And, who knows whether we will have a quantum 
computer by 2099? 



II. QUANTUM KEY DISTRIBUTION 

It is fortunate that quantum mechanics can also come 
to the rescue. Unlike conventional cryptography, the 
Holy Grail of quantum cryptography (code-making) is 
unconditional security, that is to say, security that is 
based on the fundamental law of quantum mechanics, 
namely that information gain generally implies 
disturbance on quantum states. 

How does quantum key distribution work? Intuitively, 
if an eavesdropper attempts to learn information about 
some signals sent through a quantum channel, she will 
have to perform some sort of measurement on the signals. 
Now, a measurement will generally disturb the state of 
those signals. Alice and Bob can catch an eavesdropper 
by searching for traces of this disturbance. The absence 
of disturbance assures Alice and Bob that Eve almost 
surely does not have any information about the 
transmitted quantum signals. 



III. BB84 PROTOCOL: THE IDEAL CASE 

The best-known quantum key distribution (QKD) protocol 
(BB84) was published by Bennett and Brassard in 
1984 [?], while its idea goes back to Wiesner. [1] The 
basic tools are a quantum channel connecting Alice and 
Bob and a public classical channel, where Eve is allowed 
to listen passively, but not allowed to change the 
transmitted message. For the quantum channel, we use four 
signal states. For simplicity, let us for now regard the 
signals as realized by single photons in the polarization 
degree of freedom. Consider two sets of orthogonal 
signals, one formed by a horizontal and a vertical polarized 
photon, and the other formed by a 45-degree and 
135-degree polarized photon. These four polarized states are 
non-orthogonal. The overlap probability between signals 
from two different sets is one half. Bob has two 
measurement devices at hand, one in the rectilinear (i.e., 
vertical/horizontal) basis and one in the diagonal (i.e., 
45-degree/135-degree) basis. Notice that Bob's two 
measurements do not commute. 

The procedure of BB84 is as follows. See Figure 1. 

FIG. 1: Schematics of the BB84 protocol. [?] 



1. Phase I (Quantum Communication Phase) 

(a) Alice sends a sequence of signals, each randomly 
chosen from one of the above four polarizations. 

(b) For each signal, Bob randomly chooses one of the 
two measurement devices to perform a measurement. 

(c) Bob confirms that he has received and measured 
all signals. 

2. Phase II (Public Discussion Phase) 

(a) Alice and Bob announce their polarization bases 
for each signal. They discard all events where they use 
different bases for a signal. 

(b) Alice randomly chooses a fraction, p, of all re- 
maining events as test events. For those test events, she 
transmits the positions and the corresponding polariza- 
tion data to Bob. Bob compares his polarization data 
with those of Alice and tells Alice whether their polar- 
ization data for the test events agree. 

(c) In case of agreement, Alice and Bob convert the po- 
larization data of the remaining set of events into binary 
form, e.g., they call all horizontal and 45-degree signals 
a "0" and all vertical and 135-degree signals a "1". Such 
a generated binary string is now their secret key. 
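
The two phases above as a small simulation, added here as an example and not taken from the original article. It goes one step beyond the ideal case by optionally adding an eavesdropper who measures each photon in a random basis and resends it (an assumed attack model), so that the disturbance seen in the test events becomes visible; all names are hypothetical.

```python
import random

RECT, DIAG = 0, 1  # rectilinear (H/V) and diagonal (45/135 degree) bases
# Bit convention from the text: horizontal and 45-degree -> 0, vertical and 135-degree -> 1.


def measure(bit, prep_basis, meas_basis, rng):
    """Result of measuring a photon that was prepared as (bit, prep_basis)."""
    if prep_basis == meas_basis:
        return bit           # matching basis: the outcome is certain
    return rng.randrange(2)  # other basis: overlap 1/2, the outcome is random


def run_bb84(n_signals, test_fraction=0.5, eavesdropper=False, seed=0):
    rng = random.Random(seed)  # seeded PRNG only so that the demo is repeatable

    # Phase I: quantum communication.
    alice_bits = [rng.randrange(2) for _ in range(n_signals)]
    alice_bases = [rng.choice((RECT, DIAG)) for _ in range(n_signals)]
    bob_bases = [rng.choice((RECT, DIAG)) for _ in range(n_signals)]
    bob_bits = []
    for a_bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        bit, basis = a_bit, a_basis
        if eavesdropper:
            # Assumed attack: Eve measures in a random basis and resends her result.
            e_basis = rng.choice((RECT, DIAG))
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, basis, b_basis, rng))

    # Phase II(a): announce bases, discard events where they differ.
    sifted = [i for i in range(n_signals) if alice_bases[i] == bob_bases[i]]

    # Phase II(b): Alice picks a random fraction of the sifted events as test events.
    test = set(rng.sample(sifted, int(len(sifted) * test_fraction)))
    errors = sum(alice_bits[i] != bob_bits[i] for i in test)
    qber = errors / len(test) if test else 0.0

    # Phase II(c): only if the test events agree do the remaining events become the key.
    accepted = bool(test) and errors == 0
    rest = [i for i in sifted if i not in test]
    return {
        "sifted": len(sifted),
        "tested": len(test),
        "qber": qber,
        "accepted": accepted,
        "alice_key": [alice_bits[i] for i in rest] if accepted else [],
        "bob_key": [bob_bits[i] for i in rest] if accepted else [],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(20000, eavesdropper=eve, seed=1)
        print(f"eavesdropper={eve}: sifted={r['sifted']} tested={r['tested']} "
              f"QBER={r['qber']:.3f} accepted={r['accepted']} "
              f"key_bits={len(r['alice_key'])}")
```

With matching bases the eavesdropper guesses the wrong basis half of the time and then causes an error half of the time, so about a quarter of the test events disagree.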

The first phase of the protocol uses signals and 
measurements via the quantum channel. Alice keeps a 
classical record of the signal states she sent. Similarly, Bob 
keeps a classical record of the measurement devices he 
has chosen together with his measurement outcomes. 

The second phase of the protocol uses a public classical 
channel. An eavesdropper may try to break the scheme 
by launching a man-in-the-middle attack where she 
impersonates Alice to Bob and impersonates Bob to 
Alice. To prevent this attack, Alice and Bob should 
authenticate the data sent in their classical channel. 
Fortunately, efficient classical authentication methods exist. 
To authenticate an $M$-bit message, Alice and Bob only 
need to consume a key of order $\log M$ bits. In summary, 
starting from a short pre-shared key, Alice and Bob can 
generate a long secure key by using quantum key 
distribution. They can keep a small portion of it for 
authentication in a subsequent round of quantum key distribution 
and use the rest as a key for one-time pads. The fact that 
there is no degradation of security by using this new 
secure key is called composability and has been proven in 
[?], provided that one uses a proper definition of security. 
See, e.g. As a result, we should strictly speak of 
QKD as quantum key growing. 

The BB84 protocol is only one example of a QKD 
protocol. Actually, there are many QKD protocols, as nearly 
any set of non-orthogonal signal states together with a set 
of non-commuting measurement devices will allow secure 
QKD. [?] These protocols differ, however, in their 
symmetry that simplifies the security analysis, in the ease 
of their experimental realization and in their tolerance 
to channel noise and loss. Independent of Bennett and 
Brassard's work, Ekert proposed a QKD protocol (Ekert 
91) based on Bell's inequalities [?]. In 1992, Bennett 
proposed a simple protocol (B92) [8] that involves only two 
non-orthogonal states. A protocol of particularly high 
symmetry is the six-state protocol. 



IV. BB84 PROTOCOL IN A NOISY 
ENVIRONMENT 

The idealized BB84 protocol described above will not 
work in any practical realization. Even when there are 
no eavesdropping activities, any real quantum channel is 
necessarily noisy due to, for instance, some misalignment 
in a quantum channel. As a result, Alice and Bob will 
generally find a finite amount of disturbance in their test 
signals. Since Alice and Bob can never be sure about the 
origin of the disturbance, as conservative cryptographers, 
we should assume that Eve has full control of the 
channel. Therefore, we are faced with two problems. First, 
the polarization data of Alice may be different from those 
of Bob. This means that their raw keys are different. 
Second, Eve might have some partial information on those 
raw keys. 

In order to address these two problems, Alice and Bob 
have to perform classical post-processing of their raw 
keys. First, Alice and Bob may perform error 
correction to correct any error in the raw key. Now, they share 
a reconciled key on which Eve may have partial 
information. Second, they may perform so-called privacy 
amplification. That is to say, they apply a function on their 
reconciled key to map it into a final key, which is shorter, 
but is supposed to be almost perfectly secure. 

Proving the security of QKD in a noisy setting was a 
very hard problem. This is because instead of 
attacking Alice's signals individually, Eve may conduct a joint 
attack. In the most general attack, Eve may couple all 
the signals received from Alice with her probe and evolve 
the combined system by some unitary transformation and 
then send parts of her systems to Bob, keeping the rest 
in her quantum memory. She then listens to all the 
public discussion between Alice and Bob. Some time in the 
future, Eve may perform some measurement on her 
system to try to extract some information about the key. 
A priori, it is very hard to take all possible attacks into 
account. 

It took more than 10 years, but the security of QKD in 
a noisy setting was finally solved in a number of papers. 
In particular, Shor and Preskill [10] have unified the 
earlier proofs by Mayers [11], and by Lo and Chau [13], 
by using quantum error correction ideas. [Lo and Chau's 
proof uses the entanglement distillation approach to 
security proof, proposed by Deutsch et al. [14].] Shor and 
Preskill showed that BB84 is secure whenever the error 
rate (commonly called quantum bit error rate, QBER) is 
less than 11 percent. Allowing two-way classical 
communications between Alice and Bob, Gottesman and Lo [15] 
have shown that BB84 is secure whenever the QBER is 
less than 18.9 percent. Subsequently, Chau [16] extended 
the secure region up to 20.0 percent. An upper bound 
on the tolerable QBER is also known: BB84 is known to 
be insecure when observed correlations contain no 
quantum correlations anymore [17], which happens when the 
average QBER is above 25 percent. [18] A major open 
question is the following: What is the threshold value of 
QBER above which BB84 is insecure? Is there really a 
gap between the 20% and the 25%? 



V. BB84 WITH PRACTICAL SOURCE IN 
NOISY AND LOSSY ENVIRONMENT 

Real-life QKD systems suffer from many types of 
imperfections. While single photon sources may well be very 
useful for quantum computing, it is important to note 
that single photon sources are not needed for QKD. This 
is good news because currently single photon sources are 
rather impractical for QKD. 

(a) Source: It is rather common to use attenuated laser 
pulses as signals. Those attenuated laser pulses, when 
phase randomized, follow a Poissonian distribution in the 
number of photons, i.e., the probability of having $n$ 
photons in a signal is given by $P_\mu(n) = e^{-\mu}\mu^n/n!$, 
where $\mu$, chosen by the sender, Alice, is the average 
number of photons. 

For instance, if we use $\mu = 0.1$, then most of the pulses 
contain no photons, some contain single photons and a 
fraction of order 0.005 signals contains several photons. 

(b) Channel: A quantum channel, e.g. an optical fiber 
or open air, is lossy as well as noisy. 

(c) Detector: Detectors often suffer false detection 
events due to background and so-called intrinsic dark 
counts. Moreover, some misalignment in the detection 
system is inevitable. 

Let us consider what happens when we use attenu- 
ated laser pulses, rather than perfect single photons, as 
the source in BB84. [?] The vacuum component 
of the signal reduces the signal rate since no signal will 
be detected by Bob. The single photon component of 
the signal works ideally. The problematic parts are the 
multi-photon signals. Essentially, each multi-photon sig- 
nal contains more than one copy of the polarization in- 
formation, thus allowing Eve to steal a copy of the in- 
formation without Alice and Bob knowing it. More con- 
cretely, the presence of multi-photon signals allows Eve 
to perform the photon-number-splitting (PNS) attack. In 
the PNS attack, Eve performs a quantum non-demolition 
measurement of the number of photons on each signal 
emitted by Alice. Such a measurement tells Eve exactly 
the number of photons in a signal without disturbing its 
polarization. Now, Eve can act on the signal depend- 
ing on the total number of photons. If she finds a vac- 
uum signal, she can resend it to Bob without introducing 
any additional errors. If she finds a multi-photon signal, 
she splits off one photon and keeps it in her quantum 
memory and sends the remainder to Bob. Note that 
when Eve sends the remainder to Bob, she may replace 
the original lossy quantum channel by a lossless channel. 
In other words, Eve may effectively introduce photon- 
number-dependent loss in the channel. Eve's splitting 
action does not disturb the signal polarization either in 
the photon she splits off or in the photon she sends on. 
Later in the protocol Alice will reveal the polarization 
basis of the signal. This will allow Eve to perform the 
correct measurement on the single photon she split off, 
thereby obtaining perfect information about the polar- 
ization of Alice's signal. 

The remaining signals are single-photon signals. Re- 
call that in the PNS attack, Eve has enhanced the trans- 
mittance of multi-photon signals by replacing the origi- 
nal lossy quantum channel by a lossless one. Therefore, 
in order to match the effects of the original loss in the 
channel, Eve has to suppress some of the single photon 
signals. That is to say she has to send a neutral signal 
to Bob that will cause no errors and look like loss. Of 
course, the vacuum signal does this job here. The ex- 
act rate of the suppressed signals depends on the mean 
photon number of the source and the loss in the channel. 

On those single-photon signals that she does not block, 
Eve may perform any coherent eavesdropping attack. 
This means that in the worst case scenario, all the errors 
arise from eavesdropping in single-photon signals. 

In recent years, several groups have developed 
experimental demonstrations of QKD using imperfect devices. 
QKD experiments have been successfully performed over 
about 100 km of commercial Telecom fibers and also 
about 100 km of open-air. There have even been serious 
proposals for performing satellite to ground QKD 
experiments, thus enabling a global quantum cryptographic 
network through trusted satellites. One fiber-based QKD 
set-up by the Cambridge group is shown in Figure 2. 
Fiber-based QKD systems have matured over the recent 
years so that at least two firms, id Quantique and MagiQ, 
manufacture them in a commercial setting. 

FIG. 2: Schematics of actual QKD experiments with 
phase-encoding of signals. The figure is from [20] (Courtesy of A. 
Shields). 

It is important to notice that a security proof 
that takes into account all the above imperfections 
has been given by Gottesman-Lo-Lütkenhaus-Preskill 
(GLLP) [21], building on earlier work by Inamori, 
Lütkenhaus and Mayers [22]. As we pointed out before, 
it is not "more secure" to use single-photon sources. In 
fact, at present, it is much more practical to use laser 
pulses, rather than single-photon sources. Another 
important issue to mention here is that security proofs 
assume models for sending and receiving devices (though 
not for the quantum channel). One therefore always has 
to check that these models fit the real physical devices. 



VI. NEW METHODS 

The rough behaviour of the signal rate according to 
GLLP is easily understood. For low and intermediate 
losses, one can ignore the effects of errors, and the secret 
key rate can be understood in terms of the multi-photon 
probability of the source, $p_{\mathrm{multi}}$, and the observed 
probability that Bob receives a signal, $p_{\mathrm{rec}}$. 

Assuming a Poissonian photon number distribution for 
the source with mean photon number $\mu$, we find 
$p_{\mathrm{multi}} = 1 - (1 + \mu)\exp(-\mu)$, and, assuming that we 
observe a probability $p_{\mathrm{rec}}$ as in a standard optical 
transmission with single photon transmittivity $\eta$ such that 
$p_{\mathrm{rec}} = 1 - \exp(-\mu\eta)$, we can perform a simple 
optimization over $\mu$ and find the choice 
$\mu_{\mathrm{opt}} \approx \eta$. Therefore, we find 

This key generation is rather low compared to the 
communication demand on optical fiber networks. Moreover, 
due to the detector imperfections, at some point the dark 
counts of the detectors kick in so that we find an effective 
cut-off at distances around 20-40 km. In summary, 
standard implementations of QKD are limited in distances 
and key generation rates. There are several approaches 
to solving these problems. 
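
The photon-number statistics of Section V and the rate estimate above, worked numerically as an added example (not from the original article). The simplified rate, one half of (p_rec - p_multi) with the one half standing for basis sifting, is an assumption made for this example, as are the function names.

```python
import math


def photon_number_prob(mu, n):
    """P_mu(n) = exp(-mu) mu^n / n! for a phase-randomized attenuated laser pulse."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def p_multi(mu):
    """Probability of two or more photons in a pulse: 1 - (1 + mu) exp(-mu)."""
    return -math.expm1(-mu) - mu * math.exp(-mu)


def p_rec(mu, eta):
    """Probability that Bob registers a pulse: 1 - exp(-mu * eta)."""
    return -math.expm1(-mu * eta)


def key_rate(mu, eta):
    """Assumed simplified rate per pulse; a non-positive value means no secret key."""
    return 0.5 * (p_rec(mu, eta) - p_multi(mu))


def pns_covers_all_detections(mu, eta):
    """True when multi-photon pulses alone can account for every detection Bob
    expects, so blocking all single photons would go unnoticed in the count rate."""
    return p_multi(mu) >= p_rec(mu, eta)


def optimal_mu(eta, iterations=200):
    """Ternary search for the mean photon number in [0, 1] that maximizes key_rate.

    For 0 < eta <= 1 the rate rises from zero, peaks once and then falls on this
    interval, so ternary search converges to the maximum.
    """
    lo, hi = 0.0, 1.0
    for _ in range(iterations):
        a = lo + (hi - lo) / 3
        b = hi - (hi - lo) / 3
        if key_rate(a, eta) < key_rate(b, eta):
            lo = a
        else:
            hi = b
    return (lo + hi) / 2


if __name__ == "__main__":
    print(f"mu = 0.1: vacuum {photon_number_prob(0.1, 0):.4f}, "
          f"single {photon_number_prob(0.1, 1):.4f}, multi {p_multi(0.1):.4f}")
    for eta in (0.1, 0.01, 0.001):  # constructed sample transmittivities
        mu = optimal_mu(eta)
        print(f"eta = {eta}: mu_opt = {mu:.5f}, rate = {key_rate(mu, eta):.3e}, "
              f"eta^2/4 = {eta ** 2 / 4:.3e}, "
              f"mu = 0.1 unsafe: {pns_covers_all_detections(0.1, eta)}")
```

The last column shows why a fixed mean photon number such as 0.1 stops being usable once the channel loss is high enough.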



A. Decoy state QKD 

The first and simplest approach is decoy state QKD 
[23], [24], [25]. In addition to signal states of average 
photon number $\mu$, Alice also creates decoy states of various 
mean photon numbers $\nu_1$, $\nu_2$, etc. For instance, Alice 
may use a variable attenuator to modulate the 
intensity of each signal. Consequently, each signal is chosen 
randomly to be either a signal state or a decoy state. 
Given an $n$-photon signal, an eavesdropper has no idea 
whether it comes from a signal state or a decoy state. 
Therefore, any attempt by an eavesdropper to suppress 
single-photon signals in the signal state will also lead to a 
suppression of single-photon signals in the decoy states. 
After Bob's acknowledgement of his detection of signals, 
Alice broadcasts which signals are signal states and which 
signals are decoy states and what types. By computing 
the gain (i.e., the ratio of the number of detection events 
to the number of signals sent by Alice) and the QBER of 
the decoy state, Alice and Bob will almost surely discover 
such a suppression and catch Eve's eavesdropping attack. 
As shown by Lo et al. [24], in the limit of infinite 
number of choices of intensities of the decoy states, the only 
eavesdropping strategy that will produce the correct gain 
and QBER for all secretly chosen average photon 
numbers is a standard beam-splitter attack. As a result, decoy 
state QKD allows a dramatically higher key generation 
rate, $R = O(\eta)$, compared to $R = O(\eta^2)$ for non-decoy 
protocols as well as a much higher distance for 
unconditionally secure QKD with a practical QKD system. See 
Figure 3. 

How many decoy states are needed? It has been shown 
that only one or two types of decoy states are needed 
for practical protocols. [25], [?] The first experimental 
demonstrations of decoy state QKD have been done. [28] 
Given its simplicity, we expect decoy state QKD to 
become a standard technique in the field. Indeed, many 
follow-up experiments have now been performed. 
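
How the decoy comparison exposes suppressed single photons, as an added example that is not part of the original article. It assumes an untampered channel passes each photon independently with probability eta, models Eve as delivering every multi-photon pulse while thinning single photons to match the signal-state gain, and uses an arbitrary 5% tolerance in place of proper statistical bounds; all names are hypothetical.

```python
import math


def poisson(mu, n):
    """Photon-number distribution of a phase-randomized laser pulse."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def gain(mu, yield_of_n, n_max=40):
    """Gain at intensity mu: detections per pulse sent, sum_n P_mu(n) * Y_n."""
    return sum(poisson(mu, n) * yield_of_n(n) for n in range(n_max + 1))


def honest_yield(eta):
    """Assumed untampered channel: an n-photon pulse is detected with 1 - (1 - eta)^n."""
    return lambda n: 1.0 - (1.0 - eta) ** n


def pns_yield(mu_signal, eta):
    """Photon-number-dependent yields that reproduce the honest gain of the signal
    state only: all multi-photon pulses arrive, single photons are partly blocked."""
    target = gain(mu_signal, honest_yield(eta))
    multi = 1.0 - poisson(mu_signal, 0) - poisson(mu_signal, 1)
    y1 = (target - multi) / poisson(mu_signal, 1)
    if not 0.0 <= y1 <= 1.0:
        raise ValueError("model needs a single-photon yield between 0 and 1")
    return lambda n: 0.0 if n == 0 else (y1 if n == 1 else 1.0)


def observed_gains(intensities, yield_of_n):
    """Gains Alice and Bob would measure (infinite statistics) for each intensity."""
    return {mu: gain(mu, yield_of_n) for mu in intensities}


def effective_eta(mu, q):
    """Transmittivity an untampered channel would need to give gain q at intensity mu."""
    return -math.log1p(-q) / mu


def decoy_check(gains, signal_mu, tolerance=0.05):
    """Return the decoy intensities whose implied transmittivity differs from the
    signal state's by more than `tolerance`, with the ratio decoy/signal."""
    reference = effective_eta(signal_mu, gains[signal_mu])
    flagged = {}
    for mu, q in gains.items():
        ratio = effective_eta(mu, q) / reference
        if mu != signal_mu and abs(ratio - 1.0) > tolerance:
            flagged[mu] = round(ratio, 3)
    return flagged


if __name__ == "__main__":
    levels = [0.5, 0.1, 0.05]  # constructed: signal mu = 0.5, two decoy intensities
    eta = 0.3                  # constructed channel transmittivity
    print("untampered:", decoy_check(observed_gains(levels, honest_yield(eta)), 0.5))
    print("suppressed:", decoy_check(observed_gains(levels, pns_yield(0.5, eta)), 0.5))
```

The signal-state gain is identical in both runs; only the decoy intensities reveal that the yield depends on photon number.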



B. QKD with strong reference pulses 

The second approach is based on the strong reference 
pulses idea, dating back to Bennett's 1992 paper. [?] 
The idea is the following. In addition to a phase 
modulated weak signal pulse, Alice also sends a strong 
unmodulated reference pulse to Bob through a quantum 
channel. Quantum information is encoded in the relative 
phase between the two pulses, the strong reference 
pulse and the signal pulse. Bob splits off a small part of 
the strong reference pulse and uses it to interfere with 
the signal pulse to measure the relative phase between 
the two. In addition, Bob monitors the intensity of the 
remainder of each strong reference pulse. Since the 
reference pulse is strong, such monitoring can be done easily 
by, for instance, a power-meter. 

FIG. 3: Key rates for the experimental set-up in [20] using the 
GLLP results [21] with and without the use of decoy states. 

The idea behind this protocol is to make sure that Eve 
does not have a neutral signal at her hand which would 
allow her to suppress signals at will without causing an 
error rate. (Such a neutral signal plays a crucial role 
in the PNS attack in addition to the multi-photon sig- 
nals!) Suppose Eve performs some attacks such as the 
PNS attack on the signal pulse. For some measurement 
outcomes, she would like to selectively suppress the signal 
pulse. But how could she do that? 

If Eve significantly suppresses the strong reference 
pulse, Bob's intensity measurement of the remainder of 
the strong reference pulse will find a substantially lower 
value than expected. On the other hand, if Eve does not 
significantly suppress the strong reference pulse but only 
suppresses the signal pulse, then when Bob measures the 
relative phase between the strong reference pulse and the 
signal pulse, he will find a random outcome (for all con- 
clusive events). So either way, Eve is in trouble. 

In a number of recent papers, it has been proven 
rigorously that QKD with strong reference pulses can achieve 
a key generation rate $R = O(\eta)$. [29], [30] Nonetheless, 
those proofs require Bob's detection system to have 
certain suitable properties (one proof requires that Bob has 
a local oscillator that has been mode-locked to Alice's 
strong reference pulse, another requires that Bob has a 
photon detector that can distinguish multi-photon signals 
from single photons). Therefore, they do not apply to 
standard "threshold" detectors that do not distinguish 
single-photon signals from multi-photons. 

C. Differential Phase Shift QKD 

A third approach to increase the performance of QKD 
devices is the differential phase shift (DPS) QKD 
protocol. [31] Here one uses a coherent train of laser pulses 
where the bit information is encoded into the relative 
phase between the pulses. But each pulse therefore 
belongs to two signals! Though Eve can split photons off the 
signal trains, these will remain in non-orthogonal signal 
states and therefore do not reveal their full information to 
Eve! (A similar effect exists already in the B92 protocol 
with a strong reference phase!) In the DPS-QKD 
protocol Eve is also hampered in the suppression 
of signal states, as such a procedure would require breaking 
the pulse train, which causes errors. The same holds for 
a related scheme using time-bins. [32] 

Experimental implementations of DPS QKD have been 
performed. [33] At present, a rigorous proof of the 
unconditional security of differential phase shift QKD is still 
missing. 

VII. CONCLUDING REMARKS 

Owing to space limits, we have not talked much about 
other QKD implementations, such as those based on 
parametric down conversion sources, nor new detectors 
such as superconducting single-photon detectors (SSPDs) 
and transition-edge sensor (TES) detectors. We have 
omitted also the emerging field of continuous variable 
QKD systems which make use of homodyne or hetero- 
dyne detection. 

Security of QKD is a very slippery subject and one 
should work extremely carefully. Regarding a careful 
analysis and the formulation of security, see [6]. For 
necessary and sufficient conditions for security, see [34]. 

In a popular book, "The Code Book", the author, 
Simon Singh [35] proposed that quantum cryptography will 
be the end point of the evolution of cryptography with 
the ultimate victory of the code-makers. Our view is 
different. First, quantum cryptography will complement 
conventional cryptography, rather than replacing it en- 
tirely. Second, in order to ensure that a practical QKD 
system is secure, it is important to verify that the as- 
sumptions made in the security proofs actually hold in 
the practical system. Third, QKD does enjoy a funda- 
mental advantage over conventional cryptography in the 
sense that, after a quantum transmission, unlike conven- 
tional cryptography, there is no classical transcript left 
for the transmission! Therefore, for an eavesdropper to 
break a QKD system, she has to possess the required 
quantum technology right at the time of quantum trans- 
mission. For this reason, a skillful eavesdropper can and 
should invest heavily in quantum technology now, rather 
than later, to exploit unexpected loopholes in a prac- 
tical QKD system. In summary, there is no substitute 
for battle-testing. We need quantum hackers as much 
as quantum cryptographers. We live in an exciting time 
where the interplay between the theory and practice of 
quantum cryptography has just begun. The everlasting 
warfare between code-makers and code-breakers contin- 
ues. 